Security researchers at Senrio have found a vulnerability that could enable hackers to access the video feeds of millions of surveillance cameras sold by Axis Communications. They’ve named it ‘Devil’s Ivy’, because, like the plant, it is hard to eliminate and spreads quickly.

In a blog post, the researchers write that the flaw, which they uncovered while investigating the cameras’ Simple Object Access Protocol (SOAP) code, “results in remote code execution and was found in an open-source third-party code library from gSOAP”.

“When exploited,” they add, “it allows an attacker to remotely access a video feed or deny the owner access to the feed.”

The Senrio team said that the Devil’s Ivy vulnerability was initially found in Axis Communications’ M3004 security camera and that they disclosed it to the manufacturer. Axis then informed Senrio that the flaw was in fact present in 249 distinct camera models, the exceptions being three of its older cameras, but the manufacturer was quick to address the problem head-on.

Impact goes far beyond Axis

But Senrio warned that the impact goes “far beyond” cameras from Axis. The communication layer that the vulnerability uses, an open source third-party toolkit called gSOAP, is widely used by developers around the world as part of the software stack that enables devices of all kinds to ‘talk’ to the internet.

“Software or device manufacturers who rely on gSOAP to support their services are affected by Devil’s Ivy, though the extent to which such devices may be exploited cannot be determined at this time,” they write.

Servers are more likely to be exploited, they maintain, but clients (such as IoT devices) can be vulnerable as well, if they receive a SOAP message from a malicious server.

To help understand the magnitude and reach of this vulnerability, the company turned to Genivia, the company that manages gSOAP. Genivia claims that the code has been downloaded over one million times and counts IBM, Microsoft, Adobe and Xerox as customers.

“Once gSOAP is downloaded and added to a company’s repository, it’s likely used many times for different product lines,” Senrio researchers said. “It is likely that tens of millions of products – software products and connected devices – are affected by Devil’s Ivy to some degree.”

Genivia has now released a patch. In the meantime, Senrio is warning that all cameras vulnerable to Devil’s Ivy are potentially exploitable. “Devices like security cameras should be connected to a private network, which will make exploitation much more difficult,” the company recommends.

It advises that patches to devices should be made as soon as possible: “If this is not within your control, place other layers of security between your vulnerable device and the external internet.”